Thinking about or using mobile devices and applications in your heath care, health plan, or related operations or struggling to meet the demands of employees, patients, plan members or others to allow use of these tools? Be sure that you’ve taken appropriate steps to design, implement and manage legal responsibilities and risks associated with the development and use of these tools.

While the popularity, accessibility and cost-effectiveness of mobile devices and applications provides a strong incentive for health plans, health care providers, their business associates, workforce members and customers to use mobile devices and applications, the use of these technologies and applications to collect, access, or use personal health care, financial, or other sensitive information presents special challenges and risks. Unfortunately, as the use of these tools proliferates, federal officials are increasingly concerned that the data security protections afforded by many of the devices and applications in use on these highly popular smart phone, tablet and other mobile devices and applications is highly lacking. SeeFTC Settlement With Mobile Device & App Developer Shows Developers & Businesses Need To Manage Mobile App & Data Security.

As federal regulators and law enforcement responds to growing concerns about cyber security and other risks, heath care, health plan and other businesses, their employees, customers, and other business partners jumping on the mobile device and application bandwagon, health, application bandwagon, and the device and application developers developing and offering these tools must take appropriate steps to manage the personal health, financial, and other sensitive information and data that these tools use, create, access or disclose.

Of course, HIPAA shouldn’t be the only standard considered when health care providers, health plans or their business partners and vendors design and use mobile applications. In addition to HIPAA’s requirements on PHI, health care providers, health plans, health care clearinghouses, and their business partners also generally can expect that mobile devices and applications used in connection with their operations by patients, customers, employees or others also may use access, collect or disclose credit card, financial and a broad range of other sensitive information required to be protected under federal laws like the Fair & Accurate Credit Transactions Act (FACTA) or other Federal Trade Commission (FTC) Rules, state data security, data breach, identity theft or other privacy rules or both. Depending on the nature of the data and the circumstances of the unanticipated use or disclosure, invasion of privacy or other common or statutory laws also may come into play.

With the use of these applications by consumers and business proliferates, Congress, OCR, the FTC, state regulators and others are upping the responsibilities and the liability of businesses that fail to appropriately consider and implement security in their mobile devices and applications. Following on OCR’s restatement of its HIPAA regulations, the Obama Administration’s announcement of new cyber security initiatives, and a plethora of other federal and state regulatory and enforcement actions against businesses for data security missteps, the FTC recently launched a campaign to ensure that companies secure the software and devices mobile device and application providers provide consumers.

On June 4, 2013, the FTC also plans to host a public forum on malware and other mobile security threats in order to examine the security of existing and developing mobile technologies and the roles that various members of the mobile ecosystem can play in protecting consumers.

Along side this educational outreach, the FTC also is moving to punish businesses that fail to act responsibly to protect sensitive data. This trend is illustrated by the FTC’s announcement this week of its first settlement with a mobile device manufacturer.

FTC Charges Against HTC America

This week, the FTC announced that mobile device giant HTC American, Inc. will to settle FTC charges that the company failed to take reasonable steps to secure the software it developed for its smart phones and tablet computers and introduced security flaws that placed sensitive information about millions of consumers at risk.

A leading mobile device manufacturer in the United States, HTC America develops and manufactures mobile devices based on the Android, Windows Mobile, and Windows Phone operating systems. HTC America has customized the software on these devices in order to differentiate itself from competitors and to comply with the requirements of mobile network operators.

In its first-ever complaint against a mobile device or application developer, the FTC charged HTC America failed to incorporate and administer appropriate safeguards for personal financial and other sensitive data accessed and used in these applications when designing or customizing the software on its mobile devices. Among other things, the complaint alleged that HTC America failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities, failed to follow well-known and commonly accepted secure coding practices, and failed to establish a process for receiving and addressing vulnerability reports from third parties.

To illustrate the consequences of these alleged failures, the FTC’s complaint details several vulnerabilities found on HTC America’s devices, including the insecure implementation of two logging applications – Carrier IQ and HTC Loggers – as well as programming flaws that would allow third-party applications to bypass Android’s permission-based security model.

Due to these vulnerabilities, the FTC charged, millions of HTC devices compromised sensitive device functionality, potentially permitting malicious applications to send text messages, record audio, and even install additional malware onto a consumer’s device, all without the user’s knowledge or consent. The FTC alleged that malware placed on consumers’ devices without their permission could be used to record and transmit information entered into or stored on the device, including, for example, financial account numbers and related access codes or medical information such as text messages received from healthcare providers and calendar entries about doctor’s appointments. In addition, malicious applications could exploit the vulnerabilities on HTC devices to gain unauthorized access to a variety of other sensitive information, such as the user’s geolocation information and the contents of the user’s text messages.

Moreover, the FTC complaint alleged that the user manuals for HTC Android-based devices contained deceptive representations, and that the user interface for the company’s Tell HTC application was also deceptive. In both cases, the security vulnerabilities in HTC Android-based devices undermined consent mechanisms that would have otherwise prevented unauthorized access or transmission of sensitive information.

HTC America Settlement

The settlement not only requires the establishment of a comprehensive security program, but also prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices. Under the settlement agreement, HTC American must:

Fix vulnerabilities found in millions of HTC devices;

Establish a comprehensive security program designed to address security risks during the development of HTC devices; and

Undergo independent security assessments every other year for the next 20 years.

HTC America and its network operator partners are also in the process of deploying the security patches required by the settlement to consumers’ devices. Many consumers have already received the required security updates. The FTC is encouraging consumers using HTC America applications to apply the updates as soon as possible.

The FTC Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 3-0-2, with Chairman Jon Leibowitz not participating and Commissioner Maureen Ohlhausen recused. The FTC will publish a description of the consent agreement package in the Federal Register shortly.

In accordance with FTC procedures, the settlement agreement will be subject to public comment through March 22, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically or in paper form using instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Act To Manage Mobile Application Device & Security

Given the expanding awareness, expectations and enforcement of OCR, FTC and others, health care, health plan and other industry participants deciding whether and when to use, or allow others to use mobile devices or applications to access data or carry out other activities and the mobile device or other technology developers and providers offering products or services to these organizations must get serious about security.

These and other related activities send a clear message that health care, health insurance mobile device and application users and developers must incorporate and administer appropriate processes and safeguards to protect PHI, personal financial and other sensitive data. In response to these developments, industry mobile device and application developers and the health care, health insurance and other businesses must consider carefully before deploying or allowing others to deploy or use these tools in relation to data within their operations or systems. Before and when using or permitting customers, business partners, employees or others to use tools, these organizations must ensure the adequacy of the design and security safeguards for their devices, software and applications, as well as their disclaimers and associated consumer disclosures and consents. Because of the special legal and operational expectations for these organizations, health care, health insurance and other industry provides must resist pressure to allow the use of these tools unless and until they can verify that these legal and operational requisites are fulfilled.

For More Information Or Assistance

If you need assistance reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination, as well as a wide range of other workshops, programs and publications on discrimination and cultural diversity, as well as a broad range of compliance, operational and risk management, and other health industry matters.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experiencehere. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

If you found this article of interest, you also may be interested in other recent Solutions Law Press, Inc. articles by Ms. Stamer including:

The National Labor Relations Board’s announcement of its approval of settlement agreements between two UPMC hospitals and the Service Employees International Union (SEIU) reminds hospital and other health industry employers to exercise care when dealing with union organizing and other activities protected by the National Labor Relations Act (NLRA) and other federal labor laws.

The settlements relate to unfair labor practices charges the SEIU filed with the NLRB in response to actions taken by the hospital during the early stages of an organizing campaign before the union even had filed a petition for an election. Among other things, the SEIU complained that the hospitals violated the NLRB by terminating or otherwise punishing workers for supporting the union. The union also charged that the hospitals overly broad solcial medial, solicitation and code of conduct rules improperly interfered with the organizing rights of workers protected by the NLRA.

In the settlement agreements, UPMC Presbyterian Shadyside agreed to offer reinstatement and backpay to two employees who were discharged after supporting the union, and to reimburse two other employees who lost wages due to a suspension and other actions. The employer also agreed to rescind overly-broad policies related to social media, solicitation rules and a code of conduct at all UPMC facilities, to post Notices to Employees in multiple break rooms in four Pittsburgh hospitals, and to train supervisors to avoid future unlawful behavior.One remaining charge related to the use of company e-mail by employees to communicate about the union was not resolved and will proceed to trial before an Administrative Law Judge. The trial date is tentatively set for February 20.

Under the Obama Administration, the NLRB in recent years has shown aggressive support for unions and their organizing and collective bargaining activities. As part of these activities and in response to the emergence of social media and other electronic communications, the NLRA increasingly has challenged the use of broad policies restricting the use of Facebook or other social media, e-mail or other similar communications by workers when it is perceived these policies punish or chill worker’s ability to communicate or organized concerning terms and conditions of employment. As these and other commonly challenged practices are widely used within the health care industry, health industry employers are urged to take proper steps to review their policies and their administration to minimize exposure to these and other unfair labor practice challenges.

For More Information Or Assistance

If you need assistance managing your workforce, reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas and Board Certified in Labor and Employment Law by the Texas Board of Legal Specialization, Ms. Stamer has more than 25 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination, as well as a wide range of other workshops, programs and publications on discrimination and cultural diversity, as well as a broad range of compliance, operational and risk management, and other health industry matters.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experiencehere. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

If you found this article of interest, you also may be interested in other recent Solutions Law Press, Inc. articles by Ms. Stamer including:

The Department of Health and Human Service (HHS) hopes a new electronic health record (EHR) format for documenting medical care for children developed by the Agency for Healthcare Research and Quality (AHRQ)with support from the Centers for Medicare and Medicaid Services (CMS) will help developers create better EHRs for use by health care providers caring for children.

According to AHRQ, the children’s EHR format establishes a” blueprint” for EHRs to better meet the needs of health care providers and pediatric patients by combining what CMS and AHRQ consider the “best-practices in clinical care, information technology, and insights from experts in children’s health.” Developed to address commonly occuring problems in functionality, data elements and other challenges arising when traditional EHRs have been used to document pediatric care, AHRQ hopes the new format will guides EHR developers in understanding the requirements for functionality, data standards, usability and interoperability of an EHR system to more optimally support the provision of health care to children – especially those enrolled in Medicaid or the Children’s Health Insurance Program (CHIP) as well as provide guidance for EHR system purchasers and policy makers in assessing functionality of EHRs. For more information or to access the format, see here.

For More Information Or Assistance

If you need assistance reviewing or tightening your policies and procedures, conducting training or audits, responding to or defending an investigation or other enforcement action or with other health care related risk management, compliance, training, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer, may be able to help. Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 24 years experience advising health industry clients about these and other matters. Her experience includes advising hospitals, nursing home, home health, rehabilitation and other health care providers and health industry clients to establish and administer compliance and risk management policies; prevent, conduct and investigate, and respond to peer review and other quality concerns; and to respond to Board of Medicine, Department of Aging & Disability, Drug Enforcement Agency, OCR Privacy and Civil Rights, HHS, DOD and other health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns.

A popular lecturer and widely published author on health industry concerns, Ms. Stamer continuously advises health industry clients about compliance and internal controls, workforce and medical staff performance, quality, governance, reimbursement, and other risk management and operational matters. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her presentations and programs include How to Ensure That Your Organization Is In Compliance With Regulations Governing Discrimination, as well as a wide range of other workshops, programs and publications on discrimination and cultural diversity, as well as a broad range of compliance, operational and risk management, and other health industry matters.

Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. You can get more information about her health industry experiencehere. If you need assistance responding to concerns about the matters discussed in this publication or other health care concerns, wish to obtain information about arranging for training or presentations by Ms. Stamer, wish to suggest a topic for a future program or update, or wish to request other information or materials, please contact Ms. Stamer via telephone at (469) 767-8872 or via e-mail here.

If you found this article of interest, you also may be interested in other recent Solutions Law Press, Inc. articles by Ms. Stamer including:

The financial and operational impacts of regulation and legislative oversight in the health care industry are pervasive and constantly changing. No less intrusive are the challenges organizations face every day from a tax perspective. This program will focus on some of these challenges as a result of recent legislation, including health care reform and fiscal cliff agreement, and current Internal Revenue Service (“IRS”) activity. Included in the discussion will be the additional requirements for certain hospitals under Internal Revenue Code Section 501(r) – CHNAs, financial assistance policies, charges, and billing and collections – effects of the fiscal cliff agreement on employers, and relevant areas of Internal Revenue Service activity, including audit focus, regulations, announcements and PLRs. Woven throughout the discussion will be the IRS’ focus on governance.

Registration & Meeting Details

The meeting scheduled from 11:30 a.m. to 1:30 p.m. on February 19, 2013 at the offices of the Dallas Ft Worth Hospital Council, 250 Decker Drive, Irving, TX 75062-2706 will feature a complimentary luncheon underwritten by Cynthia Marcotte Stamer, P.C. for those who timely R.S.V.P. Networking and lunch service will begin at 11:30. Our program will begin at Noon.

There is no charge to participate in the meeting. However space is limited and available only on a first come, first serve basis. To ensure your spot and help us to arrange for adequate space and refreshments for this meeting, R.S.V.P. hereas soon as possible and no later thanNoon on February 8, 2012 to reserve your spot. Walk in guests will be accommodated on a space-available basis only.

About The Speakers

With over 34 years of experience in public accounting, Nancy Evetts is Deloitte Tax LLP’s Mid-America regional tax leader for the healthcare provider sector and tax exempt tax practice. She has worked with large, integrated for-profit and not-for-profit health systems, as well as universities and related research facilities and joint ventures. Her work with exempt organizations has included issues on governance, private inurement, tax compliance reporting, unrelated business income, and alternative investments.

Nancy is a frequent speaker, both internally and externally, on topics of interest to tax exempt organizations. She earned her M.S. in Accountancy from the University of Houston in 1978 and her B.A. in German from the University of Houston in 1974. She is a member of the AICPA, TSCPA, HFMA, TEGE Gulf Coast Council and has served on not-for-profits boards. She is currently on the board of Catholic Charities of the Archdiocese of Galveston Houston.

Joining Nancy is Brooke Kitchen, a tax manager with Deloitte Tax LLP and a regional tax technical resource in the health care provider sector and tax exempt organizations practice. Over the course of her six years with Deloitte Tax LLP, Brooke has served many health care and other tax-exempt organizations, taxable corporations, flow-through entities, and individual clients. Brooke has been an internal and external speaker on health care and tax exempt topics including a recent presentation at the University of Houston and also at the local Houston chapter annual tax update for the AWSCPA where she discussed effects of the Patient Protection and Affordable Care Act. Brooke is an instructor for Deloitte’s national training on health care provider and not-for-profit tax issues, and is a Form 990 technology development leader in our national health care industry practice. She earned her B.A. in Accountancy from the University of Houston and is a member of the AICPA and TSCPA.

Mark Your Calendars & Save The Date

The NTHCPA has an exciting series of future programs planned for upcoming months. Mark your calendars and save the date to participate in these upcoming NTHCPA Meetings and programs:

The NTHCPA thanks the law firm of Cynthia Marcotte Stamer, P.C. for its generous underwriting support of the February 19, 2013 luncheon. The law firm of Cynthia Marcotte Stamer, P.C. provides risk management, compliance, regulatory and public policy advocacy, operations, privacy, peer review and other staffing, employee benefits, and a broad range of other general and special counsel services for a broad range of public and private hospitals, physician organizations, skilled nursing facilities, managed care and quality organizations, health IT, health industry suppliers consulting and other service providers, and other health industry clients. Founder and Managing Shareholder Cynthia Marcotte Stamer has more than 25 years experience helping health industry clients manage the legal and operational challenges of operating under federal and state health care, tax, managed care and insurance, health care fraud and reimbursement, employment, credentialing and peer review, HIPAA and other information privacy, and other regulatory and public policy concerns. A Fellow in the Texas & American Bar Association, former National Kidney Foundation of North Texas Board Compliance Chair, former Board President of the Richardson Development Center (now Warren Center), Vice-President of the NTHCPA, past-Chair of the ABA Health Law Section Managed Care & Insurance IG, former Gulf States IRS TEGE Council Exempt Organizations Coordinator, and Executive Director of Project COPE: The Coalition on Patient Empowerment, Ms. Stamer also is widely recognized for her extensive health industry publications, training, speaking and service in the leadership in a broad range of health industry, professional, civic and other non-profit organizations For more information, see www.cynthiastamer.com or contact Cynthia at 469.767.8872.

About the NTHCPA

NTHCPA exists to champion ethical practice and compliance standards and to provide the necessary resources for ethics and compliance Professionals and others in North Texas who share these principles. The vision of NTHCPA is to be a pre-eminent compliance and ethics group promoting lasting success and integrity of organizations within North Texas.

Would you or someone you know like to join the NTHCPA, get notice of upcoming meetings or events and network on relevant professional developments with other health care professionals? Stay on top of information about upcoming meetings and share and dialogue with other NTHCPA members about health care compliance challenges and developments by participating in our meetings and events, joining our Linked In Group here and checking out the NTHCPA News here. To be added to our invitation list, we also encourage interested persons to make sure we have your current contact information by registering for the meeting or sending your current contact information including name, title, company, preferred mailing address, e-mail, and telephone number to Vice-President Cynthia Marcotte Stamer here.

Sponsorship and Other Involvement Opportunities

Would you like to show your support for the NTHCPA by sponsoring the luncheon or hosting a social hour? Want to help plan upcoming meetings? Suggest a speaker or topic? Help with the newsletter or website? Serve on the steering committee or get more involved in other ways? Get more information about membership or involvement with the NTHCPA? Send your inquiry by e-mail here.

This communication may be considered a marketing communication for certain purposes. If you wish to update your e-mail for purposes of or would prefer not to receive future e-mail concerning meetings or other activities of the North Texas Healthcare Compliance Professionals Association or other marketing and promotional mailings from it, please send an email with the word “unsubscribe” in its subject heading here.

NTHCPA invites you to share this invitation with others who might be interested in this topic or other NTHCPA.